SAP-C02 Exam Traps: Migration Strategies and Modernization Pitfalls
Avoid the hardest SAP-C02 exam traps: the 7Rs of migration (including Relocate), DataSync vs Storage Gateway vs Transfer Family, DMS vs SCT, SCP deny override rules, and VPC peering non-transitivity. Includes 5 practice questions.
The AWS Solutions Architect Professional (SAP-C02) exam is notorious for questions where two or even three answers seem correct. The difference between passing and failing often comes down to knowing the subtle technical details that eliminate distractors.
This article covers the five most dangerous exam traps on the 2026 SAP-C02, with special focus on migration and modernization (Domain 4) and cross-domain traps that appear throughout the exam. We include reference tables, a decision tree for IAM/SCP permissions, and 5 practice questions with full explanations.
- Trap #1: The 7Rs -- Most Candidates Only Know 6
- Trap #2: DataSync vs Storage Gateway vs Transfer Family
- Trap #3: DMS vs SCT -- They Are Used Together
- Trap #4: SCP Deny Cannot Be Overridden
- Trap #5: VPC Peering Is Non-Transitive
- Migration Services Quick-Reference Table
- IAM/SCP Effective Permissions Decision Tree
- 5 Practice Questions with Explanations
Trap #1: The 7Rs of Migration -- Most Candidates Only Know 6
AWS defines seven migration strategies (the 7Rs). Most study materials and candidates remember only six, forgetting "Relocate." This is a deliberate exam trap -- when Relocate is the correct answer and you do not know it exists, you pick the wrong option.
| Strategy | Description | Example |
|---|---|---|
| 1. Retire | Decommission applications no longer needed | Legacy app with zero active users |
| 2. Retain | Keep as-is (not ready or not worth migrating) | Mainframe with 2-year replacement plan |
| 3. Rehost (lift and shift) | Move to AWS with no code changes | VM to EC2 using Application Migration Service |
| 4. Relocate (hypervisor-level lift and shift) | Move to AWS without purchasing new hardware, using VMware Cloud on AWS | VMware vSphere VMs moved to VMware Cloud on AWS with no changes |
| 5. Repurchase (drop and shop) | Replace with a SaaS product | On-premises CRM replaced with Salesforce |
| 6. Replatform (lift, tinker, and shift) | Minor optimizations during migration | MySQL on EC2 migrated to RDS MySQL (managed, no code changes) |
| 7. Refactor (re-architect) | Redesign using cloud-native features | Monolith decomposed into Lambda + DynamoDB + API Gateway |
Trap #2: DataSync vs Storage Gateway vs Transfer Family
These three services all move data, but they serve fundamentally different purposes. The exam loves to test the boundaries between them.
| Service | Purpose | Direction | Use Case |
|---|---|---|---|
| DataSync | High-speed data transfer (one-time or recurring) | On-prem to AWS, AWS to AWS | Migrate NFS/SMB file shares to S3/EFS/FSx. Scheduled sync. |
| Storage Gateway | Hybrid storage with local cache | On-prem apps access AWS storage locally | On-prem app needs low-latency access to S3 data via NFS/iSCSI. Tape backup to S3 Glacier. |
| Transfer Family | Managed SFTP/FTPS/FTP endpoint backed by S3/EFS | External partners upload to AWS | Trading partners upload files via SFTP without changing their workflow. |
Decision rules:
- "Migrate large dataset from on-premises NFS to S3" = DataSync
- "On-premises application needs to access S3 files with low latency" = Storage Gateway (File Gateway)
- "External partners upload files via SFTP" = Transfer Family
- "Replace on-premises tape backup" = Storage Gateway (Tape Gateway)
- "Sync files between two S3 buckets in different regions" = DataSync (it supports AWS-to-AWS transfers)
Trap #3: DMS vs SCT -- They Are Used Together for Heterogeneous Migrations
AWS Database Migration Service (DMS) and the Schema Conversion Tool (SCT) are complementary, not alternatives. The exam tests whether you understand when to use each -- and when to use both.
- DMS: Migrates data from source to target database. Supports continuous replication (CDC -- Change Data Capture). Works with homogeneous (Oracle to Oracle) and heterogeneous (Oracle to Aurora PostgreSQL) migrations.
- SCT: Converts schema (tables, views, stored procedures, triggers) from one database engine to another. Only needed for heterogeneous migrations. SCT does NOT migrate data.
The trap: A question describes migrating from Oracle to Aurora PostgreSQL. One answer says "Use DMS." Another says "Use SCT." The correct answer is "Use SCT to convert the schema, then use DMS to migrate the data" -- you need both.
Trap #4: SCP Deny Cannot Be Overridden -- Even by the Account Administrator
This is perhaps the single most important IAM concept on the SAP-C02. In AWS Organizations, a Service Control Policy (SCP) with a Deny statement cannot be overridden by any identity policy, resource policy, or permission boundary in the member account. Not even the root user of the member account can perform a denied action.
Why candidates get this wrong: In standalone (non-Organizations) accounts, the root user has unrestricted access. Candidates carry this assumption into Organizations questions. But in Organizations, SCPs constrain member accounts -- and the root user of a member account is subject to SCPs.
Important nuance: SCPs do NOT affect the management account. The management account always has full permissions regardless of SCPs. This is by design (so you cannot lock yourself out of the organization), but it also means you should minimize workloads in the management account.
Common exam scenario: "A security team needs to ensure that no one in any account can disable CloudTrail logging." The answer is an SCP Deny on cloudtrail:StopLogging and cloudtrail:DeleteTrail applied at the organization root. No IAM policy in any member account can override this.
Trap #5: VPC Peering Is Non-Transitive
VPC peering creates a direct network connection between two VPCs. But it is non-transitive: if VPC-A is peered with VPC-B, and VPC-B is peered with VPC-C, VPC-A cannot reach VPC-C through VPC-B.
```
VPC-A <----peering----> VPC-B <----peering----> VPC-C

VPC-A can reach VPC-B: YES
VPC-B can reach VPC-C: YES
VPC-A can reach VPC-C: NO (non-transitive)

To connect all three, you need:
  Option 1: Full mesh peering (A-B, B-C, A-C) -- does not scale
  Option 2: Transit Gateway (hub-spoke) -- recommended for 3+ VPCs
```
The trap: A question describes three VPCs that need to communicate, with existing peering between A-B and B-C. The wrong answer says "this architecture already supports A-C communication." The correct answer recognizes that an additional peering connection (A-C) or a Transit Gateway is needed.
When to choose Transit Gateway over VPC peering:
- 3 or more VPCs that need to communicate = Transit Gateway
- Need centralized routing control = Transit Gateway
- Need to connect to VPN or Direct Connect = Transit Gateway
- Only 2 VPCs, simple connectivity, low cost = VPC Peering
Migration Services Quick-Reference Table
| Service | What It Migrates | Key Feature |
|---|---|---|
| Application Migration Service (MGN) | Servers (VMs, physical) | Continuous block-level replication, automated cutover |
| DMS | Database data | CDC for continuous replication, minimal downtime |
| SCT | Database schema | Converts stored procedures, views, triggers between engines |
| DataSync | Files (NFS, SMB, HDFS) | 10x faster than open-source tools, automatic integrity check |
| Transfer Family | Files via SFTP/FTPS/FTP | Managed endpoint, external partner integration |
| Snow Family | Large datasets (offline) | Snowcone (14 TB), Snowball Edge (80 TB), Snowmobile (100 PB) |
| Migration Hub | Tracking (not migration itself) | Central dashboard to track migration progress across tools |
| Application Discovery Service | Assessment (not migration itself) | Agentless or agent-based discovery of on-prem servers |
IAM/SCP Effective Permissions Decision Tree
Use this decision tree when evaluating whether an action is allowed or denied in an Organizations environment:
```
Is the account the MANAGEMENT account?
  YES --> SCPs do NOT apply. Evaluate IAM policies only.
  NO  --> Continue...

Does any SCP in the hierarchy contain an explicit DENY for the action?
  YES --> ACTION DENIED. Full stop. Nothing can override this.
  NO  --> Continue...

Does the SCP hierarchy ALLOW the action? (Remember: default is FullAWSAccess)
  NO  --> ACTION DENIED (implicit deny from SCP).
  YES --> Continue...

Does the IAM identity policy ALLOW the action?
  NO  --> ACTION DENIED (no identity grant).
  YES --> Continue...

Is there a permission boundary attached to the user/role?
  YES --> Does the boundary allow the action?
            NO  --> ACTION DENIED.
            YES --> Continue...
  NO  --> Continue...

Does any resource policy explicitly DENY the action?
  YES --> ACTION DENIED.
  NO  --> ACTION ALLOWED.
```
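The decision tree above, applied to the CloudTrail SCP scenario from Trap #4, as an added Python example that is not part of the original article. It follows the tree as written (one simplification to keep in mind: a real evaluation also honours an explicit Deny inside the identity policy itself), models each policy as a list of statements carrying only Effect and Action (Resource and Condition are ignored), and represents the SCP hierarchy as one statement list per level, with the sample policies constructed here.

```python
import fnmatch

# Simplified evaluator following the article's IAM/SCP decision tree. Policies are
# lists of IAM-style statements; only Effect and Action are modelled (Resource and
# Condition are ignored), so this is a teaching aid, not a policy simulator.
FULL_AWS_ACCESS = [{"Effect": "Allow", "Action": "*"}]  # default SCP at every level

def _matches(stmts, action, effect):
    """True if a statement with this Effect has an Action pattern matching action."""
    for s in stmts:
        acts = s.get("Action", [])
        acts = [acts] if isinstance(acts, str) else acts
        if s.get("Effect") == effect and any(fnmatch.fnmatchcase(action, p) for p in acts):
            return True
    return False

def effective_permission(action, *, is_management_account, scp_levels,
                         identity_policy, boundary=None, resource_policy=()):
    """Return (allowed, reason). scp_levels holds one statement list per level of
    the Organizations hierarchy that applies to the account (root, OUs, account)."""
    if is_management_account:  # SCPs never apply here: evaluate IAM only
        ok = _matches(identity_policy, action, "Allow") and not _matches(identity_policy, action, "Deny")
        return ok, "management account: IAM policies only"
    if any(_matches(lvl, action, "Deny") for lvl in scp_levels):
        return False, "explicit SCP Deny: nothing can override this"
    if not all(_matches(lvl, action, "Allow") for lvl in scp_levels):
        return False, "implicit SCP deny: no Allow at every level"
    if not _matches(identity_policy, action, "Allow"):
        return False, "no identity policy grant"
    if boundary is not None and not _matches(boundary, action, "Allow"):
        return False, "permission boundary does not allow the action"
    if _matches(resource_policy, action, "Deny"):
        return False, "explicit resource policy Deny"
    return True, "allowed"

# Constructed scenario from Trap #4: a root-level SCP guarding CloudTrail.
ROOT_SCP = FULL_AWS_ACCESS + [{"Effect": "Deny",
                               "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]}]
MEMBER_ADMIN = [{"Effect": "Allow", "Action": "*"}]  # AdministratorAccess-style identity policy

def cloudtrail_checks():
    """Same admin identity policy, evaluated in a member account and in the management account."""
    def member(a):
        return effective_permission(a, is_management_account=False,
                                    scp_levels=[ROOT_SCP, FULL_AWS_ACCESS], identity_policy=MEMBER_ADMIN)[0]
    def mgmt(a):
        return effective_permission(a, is_management_account=True,
                                    scp_levels=[ROOT_SCP], identity_policy=MEMBER_ADMIN)[0]
    return {"member StopLogging": member("cloudtrail:StopLogging"),
            "member DescribeTrails": member("cloudtrail:DescribeTrails"),
            "management StopLogging": mgmt("cloudtrail:StopLogging")}
```

The member-account admin is denied cloudtrail:StopLogging despite an Allow-everything identity policy, while the management account, which SCPs do not touch, is allowed.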
5 Practice Questions with Explanations
Question 1: A company is migrating from on-premises VMware vSphere to AWS. The infrastructure team wants to move existing VMs to AWS with minimal changes while preserving the VMware management tools and licenses they already own. Which migration strategy should they use?
A. Rehost using AWS Application Migration Service
B. Relocate using VMware Cloud on AWS
C. Replatform using Amazon EC2 with VMware AMIs
D. Refactor using Amazon ECS with containerized workloads
Answer: B -- Relocate using VMware Cloud on AWS moves VMware workloads to AWS-hosted VMware infrastructure without changing the VMs, management tools, or licenses. Rehost (A) converts VMs to EC2 instances, losing the VMware layer. Replatform (C) involves optimizations not described. Refactor (D) involves redesigning the application entirely.
Question 2: A company needs to migrate a 50 TB Oracle database to Amazon Aurora PostgreSQL. The migration must include stored procedures, views, and triggers. The database must remain available during migration with minimal downtime. Which combination of AWS services should be used?
A. AWS DMS only with full-load and CDC
B. AWS SCT to convert schema, then AWS DMS with full-load and CDC
C. AWS SCT to convert schema and migrate data
D. Amazon S3 as staging, then bulk load into Aurora
Answer: B -- This is a heterogeneous migration (Oracle to PostgreSQL), so SCT is required to convert the schema (including stored procedures, views, and triggers). DMS then migrates the data using full-load plus CDC for minimal downtime. DMS alone (A) cannot convert stored procedures. SCT (C) does not migrate data. S3 staging (D) would require significant custom work and more downtime.
Question 3: A company has three VPCs: VPC-A (us-east-1), VPC-B (us-east-1), and VPC-C (eu-west-1). VPC-A is peered with VPC-B. VPC-B is peered with VPC-C. An application in VPC-A needs to communicate with a database in VPC-C. What should the solutions architect do?
A. Update route tables in VPC-B to route traffic between VPC-A and VPC-C
B. Create a new VPC peering connection between VPC-A and VPC-C
C. Deploy a Transit Gateway in us-east-1 and attach all three VPCs
D. Configure a VPN connection between VPC-A and VPC-C
Answer: B -- VPC peering is non-transitive, so A cannot reach C through B regardless of route table configuration (A is wrong). A direct peering connection between VPC-A and VPC-C is the simplest solution for connecting two specific VPCs. Transit Gateway (C) would work but is over-engineered for connecting just two additional VPCs, and because VPC-C is in a different region it would also require inter-region TGW peering. A VPN (D) adds unnecessary complexity.
Question 4: A security team in a multi-account AWS Organization needs to prevent any IAM user or role in member accounts from disabling AWS Config. The security team has already applied IAM policies restricting this action, but they want an additional guardrail that cannot be bypassed. What should they implement?
A. An IAM permission boundary on all IAM users and roles denying config:StopConfigurationRecorder
B. An SCP at the organization root denying config:StopConfigurationRecorder and config:DeleteConfigurationRecorder
C. An AWS Config rule that detects when Config is disabled and automatically re-enables it
D. A CloudWatch alarm that triggers a Lambda function to re-enable Config when disabled
Answer: B -- An SCP Deny at the organization root is the only mechanism that cannot be overridden by any identity policy in member accounts. Permission boundaries (A) must be attached to every user/role and could be removed by an admin. Config rules (C) and CloudWatch/Lambda (D) are reactive (detect and fix after the fact), not preventive. The question asks for a guardrail that "cannot be bypassed" -- that is an SCP.
Question 5: A company needs to transfer 200 TB of data from an on-premises NFS file share to Amazon S3. The company has a 1 Gbps Direct Connect connection. The transfer must complete within 2 weeks. Which approach minimizes transfer time?
A. Use AWS DataSync with the Direct Connect connection
B. Use AWS Storage Gateway File Gateway to cache data locally and sync to S3
C. Order two AWS Snowball Edge Storage Optimized devices
D. Use S3 Transfer Acceleration with multipart uploads
Answer: A -- A 1 Gbps connection can transfer approximately 10 TB/day, completing 200 TB in about 20 days. However, DataSync optimizes network utilization and can use parallel streams to maximize throughput, making the 2-week deadline achievable. Snowball Edge (C) involves shipping time (5-7 days each way) plus loading time, likely exceeding 2 weeks. Storage Gateway (B) is designed for hybrid access, not bulk migration. S3 Transfer Acceleration (D) optimizes internet transfers, not Direct Connect.
The SAP-C02 exam rewards precision. Knowing that VPC peering is non-transitive, that SCPs cannot be overridden, that DMS and SCT serve different roles, and that Relocate is a distinct migration strategy -- these details are what separate a passing score from a near-miss. Study these traps, internalize the decision frameworks, and walk into exam day knowing you will not fall for them.
Ready to practice at professional level? Try CertLand's SAP-C02 practice exams today.